.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "KDB5_LDAP_UTIL" "8" " " "1.22.1" "MIT Kerberos"
.SH NAME
kdb5_ldap_util \- Kerberos configuration utility
.SH SYNOPSIS
.sp
\fBkdb5_ldap_util\fP
[\fB\-D\fP \fIuser_dn\fP [\fB\-w\fP \fIpasswd\fP]]
[\fB\-H\fP \fIldapuri\fP]
\fBcommand\fP
[\fIcommand_options\fP]
.SH DESCRIPTION
.sp
kdb5_ldap_util allows an administrator to manage realms, Kerberos
services and ticket policies.
.SH COMMAND-LINE OPTIONS
.INDENT 0.0
.TP
\fB\-r\fP \fIrealm\fP
Specifies the realm to be operated on.
.TP
\fB\-D\fP \fIuser_dn\fP
Specifies the Distinguished Name (DN) of the user who has
sufficient rights to perform the operation on the LDAP server.
.TP
\fB\-w\fP \fIpasswd\fP
Specifies the password of \fIuser_dn\fP\&.  This option is not
recommended, since a password given on the command line is visible
to other users of the system in the process listing.
.TP
\fB\-H\fP \fIldapuri\fP
Specifies the URI of the LDAP server.
.UNINDENT
.sp
By default, kdb5_ldap_util operates on the default realm (as specified
in \fI\%krb5.conf\fP) and connects and authenticates to the LDAP
server in the same manner as \fI\%kadmind\fP would, given the
parameters in \fI\%[dbdefaults]\fP in \fI\%kdc.conf\fP\&.
.SH COMMANDS
.SS create
.INDENT 0.0
.INDENT 3.5
\fBcreate\fP
[\fB\-subtrees\fP \fIsubtree_dn_list\fP]
[\fB\-sscope\fP \fIsearch_scope\fP]
[\fB\-containerref\fP \fIcontainer_reference_dn\fP]
[\fB\-k\fP \fImkeytype\fP]
[\fB\-kv\fP \fImkeyVNO\fP]
[\fB\-M\fP \fImkeyname\fP]
[\fB\-m|\-P\fP \fIpassword\fP|\fB\-sf\fP \fIstashfilename\fP]
[\fB\-s\fP]
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
[\fIticket_flags\fP]
.UNINDENT
.UNINDENT
.sp
Creates a realm in the directory.  Options:
.INDENT 0.0
.TP
\fB\-subtrees\fP \fIsubtree_dn_list\fP
Specifies the list of subtrees containing the principals of a
realm.  The list contains the DNs of the subtree objects separated
by colon (\fB:\fP).
.TP
\fB\-sscope\fP \fIsearch_scope\fP
Specifies the scope for searching the principals under the
subtree.  The possible values are 1 or one (one level), 2 or sub
(subtrees).
.TP
\fB\-containerref\fP \fIcontainer_reference_dn\fP
Specifies the DN of the container object in which the principals
of a realm will be created.  If the container reference is not
configured for a realm, the principals will be created in the
realm container.
.TP
\fB\-k\fP \fImkeytype\fP
Specifies the key type of the master key in the database.  The
default is given by the \fBmaster_key_type\fP variable in
\fI\%kdc.conf\fP\&.
.TP
\fB\-kv\fP \fImkeyVNO\fP
Specifies the version number of the master key in the database;
the default is 1.  Note that 0 is not allowed.
.TP
\fB\-M\fP \fImkeyname\fP
Specifies the principal name for the master key in the database.
If not specified, the name is determined by the
\fBmaster_key_name\fP variable in \fI\%kdc.conf\fP\&.
.TP
\fB\-m\fP
Specifies that the master database password should be read from
the TTY rather than fetched from a file on the disk.
.TP
\fB\-P\fP \fIpassword\fP
Specifies the master database password.  This option is not
recommended, since a password given on the command line is visible
to other users of the system in the process listing.
.TP
\fB\-sf\fP \fIstashfilename\fP
Specifies the stash file of the master database password.
.TP
\fB\-s\fP
Specifies that the stash file is to be created.
.TP
\fB\-maxtktlife\fP \fImax_ticket_life\fP
(\fI\%getdate time\fP string) Specifies maximum ticket life for
principals in this realm.
.TP
\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
(\fI\%getdate time\fP string) Specifies maximum renewable life of
tickets for principals in this realm.
.TP
.B \fIticket_flags\fP
Specifies global ticket flags for the realm.  Allowable flags are
documented in the description of the \fBadd_principal\fP command in
\fI\%kadmin\fP\&.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
    \-r ATHENA.MIT.EDU create \-subtrees o=org \-sscope SUB
Password for \(dqcn=admin,o=org\(dq:
Initializing database for realm \(aqATHENA.MIT.EDU\(aq
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re\-enter KDC database master key to verify:
.EE
.UNINDENT
.UNINDENT
.SS modify
.INDENT 0.0
.INDENT 3.5
\fBmodify\fP
[\fB\-subtrees\fP \fIsubtree_dn_list\fP]
[\fB\-sscope\fP \fIsearch_scope\fP]
[\fB\-containerref\fP \fIcontainer_reference_dn\fP]
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
[\fIticket_flags\fP]
.UNINDENT
.UNINDENT
.sp
Modifies the attributes of a realm.  Options:
.INDENT 0.0
.TP
\fB\-subtrees\fP \fIsubtree_dn_list\fP
Specifies the list of subtrees containing the principals of a
realm.  The list contains the DNs of the subtree objects separated
by colon (\fB:\fP).  This list replaces the existing list.
.TP
\fB\-sscope\fP \fIsearch_scope\fP
Specifies the scope for searching the principals under the
subtrees.  The possible values are 1 or one (one level), 2 or sub
(subtrees).
.TP
\fB\-containerref\fP \fIcontainer_reference_dn\fP
Specifies the DN of the container object in which the principals
of a realm will be created.
.TP
\fB\-maxtktlife\fP \fImax_ticket_life\fP
(\fI\%getdate time\fP string) Specifies maximum ticket life for
principals in this realm.
.TP
\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
(\fI\%getdate time\fP string) Specifies maximum renewable life of
tickets for principals in this realm.
.TP
.B \fIticket_flags\fP
Specifies global ticket flags for the realm.  Allowable flags are
documented in the description of the \fBadd_principal\fP command in
\fI\%kadmin\fP\&.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
shell% kdb5_ldap_util \-r ATHENA.MIT.EDU \-D cn=admin,o=org \-H
    ldaps://ldap\-server1.mit.edu modify +requires_preauth
Password for \(dqcn=admin,o=org\(dq:
shell%
.EE
.UNINDENT
.UNINDENT
.SS view
.INDENT 0.0
.INDENT 3.5
\fBview\fP
.UNINDENT
.UNINDENT
.sp
Displays the attributes of a realm.
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
    \-r ATHENA.MIT.EDU view
Password for \(dqcn=admin,o=org\(dq:
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
SearchScope: ONE
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
.EE
.UNINDENT
.UNINDENT
.SS destroy
.INDENT 0.0
.INDENT 3.5
\fBdestroy\fP [\fB\-f\fP]
.UNINDENT
.UNINDENT
.sp
Destroys an existing realm. Options:
.INDENT 0.0
.TP
\fB\-f\fP
If specified, does not prompt the user for confirmation.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
shell% kdb5_ldap_util \-r ATHENA.MIT.EDU \-D cn=admin,o=org \-H
    ldaps://ldap\-server1.mit.edu destroy
Password for \(dqcn=admin,o=org\(dq:
Deleting KDC database of \(aqATHENA.MIT.EDU\(aq, are you sure?
(type \(aqyes\(aq to confirm)? yes
OK, deleting database of \(aqATHENA.MIT.EDU\(aq...
shell%
.EE
.UNINDENT
.UNINDENT
.SS list
.INDENT 0.0
.INDENT 3.5
\fBlist\fP
.UNINDENT
.UNINDENT
.sp
Lists the names of realms under the container.
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
shell% kdb5_ldap_util \-D cn=admin,o=org \-H
    ldaps://ldap\-server1.mit.edu list
Password for \(dqcn=admin,o=org\(dq:
ATHENA.MIT.EDU
OPENLDAP.MIT.EDU
MEDIA\-LAB.MIT.EDU
shell%
.EE
.UNINDENT
.UNINDENT
.SS stashsrvpw
.INDENT 0.0
.INDENT 3.5
\fBstashsrvpw\fP
[\fB\-f\fP \fIfilename\fP]
\fIname\fP
.UNINDENT
.UNINDENT
.sp
Allows an administrator to store the password for a service object in
a file so that the KDC and Administration server can use it to
authenticate to the LDAP server.  Options:
.INDENT 0.0
.TP
\fB\-f\fP \fIfilename\fP
Specifies the complete path of the service password file. By
default, \fB/usr/local/var/service_passwd\fP is used.
.TP
.B \fIname\fP
Specifies the name of the object whose password is to be stored.
If \fI\%krb5kdc\fP or \fI\%kadmind\fP are configured for
simple binding, this should be the distinguished name it will
use as given by the \fBldap_kdc_dn\fP or \fBldap_kadmind_dn\fP
variable in \fI\%kdc.conf\fP\&.  If the KDC or kadmind is
configured for SASL binding, this should be the authentication
name it will use as given by the \fBldap_kdc_sasl_authcid\fP or
\fBldap_kadmind_sasl_authcid\fP variable.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
kdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile
    cn=service\-kdc,o=org
Password for \(dqcn=service\-kdc,o=org\(dq:
Re\-enter password for \(dqcn=service\-kdc,o=org\(dq:
.EE
.UNINDENT
.UNINDENT
.SS create_policy
.INDENT 0.0
.INDENT 3.5
\fBcreate_policy\fP
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
[\fIticket_flags\fP]
\fIpolicy_name\fP
.UNINDENT
.UNINDENT
.sp
Creates a ticket policy in the directory.  Options:
.INDENT 0.0
.TP
\fB\-maxtktlife\fP \fImax_ticket_life\fP
(\fI\%getdate time\fP string) Specifies maximum ticket life for
principals.
.TP
\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP
(\fI\%getdate time\fP string) Specifies maximum renewable life of
tickets for principals.
.TP
.B \fIticket_flags\fP
Specifies the ticket flags.  If this option is not specified, by
default, no restriction will be set by the policy.  Allowable
flags are documented in the description of the \fBadd_principal\fP
command in \fI\%kadmin\fP\&.
.TP
.B \fIpolicy_name\fP
Specifies the name of the ticket policy.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
    \-r ATHENA.MIT.EDU create_policy \-maxtktlife \(dq1 day\(dq
    \-maxrenewlife \(dq1 week\(dq \-allow_postdated +needchange
    \-allow_forwardable tktpolicy
Password for \(dqcn=admin,o=org\(dq:
.EE
.UNINDENT
.UNINDENT
.SS modify_policy
.INDENT 0.0
.INDENT 3.5
\fBmodify_policy\fP
[\fB\-maxtktlife\fP \fImax_ticket_life\fP]
[\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP]
[\fIticket_flags\fP]
\fIpolicy_name\fP
.UNINDENT
.UNINDENT
.sp
Modifies the attributes of a ticket policy.  Options are the same as
for \fBcreate_policy\fP\&.
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
kdb5_ldap_util \-D cn=admin,o=org \-H
    ldaps://ldap\-server1.mit.edu \-r ATHENA.MIT.EDU modify_policy
    \-maxtktlife \(dq60 minutes\(dq \-maxrenewlife \(dq10 hours\(dq
    +allow_postdated \-requires_preauth tktpolicy
Password for \(dqcn=admin,o=org\(dq:
.EE
.UNINDENT
.UNINDENT
.SS view_policy
.INDENT 0.0
.INDENT 3.5
\fBview_policy\fP
\fIpolicy_name\fP
.UNINDENT
.UNINDENT
.sp
Displays the attributes of the named ticket policy.
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
    \-r ATHENA.MIT.EDU view_policy tktpolicy
Password for \(dqcn=admin,o=org\(dq:
Ticket policy: tktpolicy
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
.EE
.UNINDENT
.UNINDENT
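.sp
As an added example (not part of the MIT Kerberos documentation or
source), the following Python script parses the output format that
\fBview\fP and \fBview_policy\fP print, as shown in the examples above,
and checks the parsed realm or policy attributes against an assumed
baseline (maximum lifetimes and a set of ticket flags that must be
present).  The sample output embedded in the script is constructed from
this page's \fBview\fP example; the baseline bounds in \fBaudit()\fP and
the \fBREQUIRES_PRE_AUTH\fP flag spelling used in the usage line are
assumptions, not values taken from this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the output of "kdb5_ldap_util ... view" in the
# format shown in this man page (values copied from its example).
SAMPLE_VIEW_OUTPUT = """\
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
Subtree: ou=servers,o=org
SearchScope: ONE
Maximum ticket life: 0 days 01:00:00
Maximum renewable life: 0 days 10:00:00
Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
"""

_LIFETIME_RE = re.compile(r"^(\d+) days (\d{1,2}):(\d{2}):(\d{2})$")


@dataclass
class TicketAttrs:
    """Attributes shared by a realm (view) and a ticket policy (view_policy)."""
    name: str = ""
    subtrees: list = field(default_factory=list)   # realm only
    search_scope: str = ""                         # realm only
    max_ticket_life: int = 0                       # seconds
    max_renewable_life: int = 0                    # seconds
    ticket_flags: set = field(default_factory=set)


def parse_lifetime(text):
    """Convert the 'N days HH:MM:SS' form printed by view into seconds."""
    m = _LIFETIME_RE.match(text.strip())
    if m is None:
        raise ValueError("unrecognised lifetime: %r" % text)
    days, hours, minutes, seconds = (int(g) for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_view_output(text):
    """Parse view / view_policy output.  Lines with an unknown key (such as
    the 'Password for ...' prompt) are ignored rather than treated as errors."""
    attrs = TicketAttrs()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in ("Realm Name", "Ticket policy"):
            attrs.name = value
        elif key == "Subtree":
            attrs.subtrees.append(value)
        elif key == "SearchScope":
            attrs.search_scope = value
        elif key == "Maximum ticket life":
            attrs.max_ticket_life = parse_lifetime(value)
        elif key == "Maximum renewable life":
            attrs.max_renewable_life = parse_lifetime(value)
        elif key == "Ticket flags":
            attrs.ticket_flags = set(value.split())
    return attrs


def audit(attrs, max_ticket_life=10 * 3600, max_renewable_life=7 * 86400,
          required_flags=frozenset()):
    """Compare parsed attributes against an assumed baseline (the default
    bounds are illustrative, not values from the man page) and return a
    list of human-readable findings; an empty list means compliant."""
    findings = []
    if attrs.max_ticket_life > max_ticket_life:
        findings.append("%s: maximum ticket life %ds exceeds %ds"
                        % (attrs.name, attrs.max_ticket_life, max_ticket_life))
    if attrs.max_renewable_life > max_renewable_life:
        findings.append("%s: maximum renewable life %ds exceeds %ds"
                        % (attrs.name, attrs.max_renewable_life,
                           max_renewable_life))
    missing = set(required_flags) - attrs.ticket_flags
    if missing:
        findings.append("%s: missing required ticket flags %s"
                        % (attrs.name, " ".join(sorted(missing))))
    return findings


if __name__ == "__main__":
    realm = parse_view_output(SAMPLE_VIEW_OUTPUT)
    # Assumed spelling of the flag that "+requires_preauth" sets; adjust it to
    # whatever your own "view" output prints.
    for finding in audit(realm, required_flags={"REQUIRES_PRE_AUTH"}):
        print(finding)
```

In practice the script would read the command's output from a pipe
(\fBkdb5_ldap_util ... view | python3 audit.py\fP) and be run for each
realm that \fBlist\fP reports and each policy that \fBlist_policy\fP
reports; the parser ignores the password prompt line, so the output can
be fed in unfiltered.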
.SS destroy_policy
.INDENT 0.0
.INDENT 3.5
\fBdestroy_policy\fP
[\fB\-force\fP]
\fIpolicy_name\fP
.UNINDENT
.UNINDENT
.sp
Destroys an existing ticket policy.  Options:
.INDENT 0.0
.TP
\fB\-force\fP
Forces the deletion of the policy object.  If not specified, the
user will be prompted for confirmation before deleting the policy.
.TP
.B \fIpolicy_name\fP
Specifies the name of the ticket policy.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
    \-r ATHENA.MIT.EDU destroy_policy tktpolicy
Password for \(dqcn=admin,o=org\(dq:
This will delete the policy object \(aqtktpolicy\(aq, are you sure?
(type \(aqyes\(aq to confirm)? yes
** policy object \(aqtktpolicy\(aq deleted.
.EE
.UNINDENT
.UNINDENT
.SS list_policy
.INDENT 0.0
.INDENT 3.5
\fBlist_policy\fP
.UNINDENT
.UNINDENT
.sp
Lists ticket policies.
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
kdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap\-server1.mit.edu
    \-r ATHENA.MIT.EDU list_policy
Password for \(dqcn=admin,o=org\(dq:
tktpolicy
tmppolicy
userpolicy
.EE
.UNINDENT
.UNINDENT
.SH ENVIRONMENT
.sp
See \fI\%kerberos\fP for a description of Kerberos environment
variables.
.SH SEE ALSO
.sp
\fI\%kadmin\fP, \fI\%kerberos\fP
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2025, MIT
.\" Generated by docutils manpage writer.
.
